topic Re: IPsec Failover in Network Security

IPsec Failover

sumy756 — Mon, 06 Jun 2022 08:35:06 GMT

Hello community,

I have created a ipsec with two ASA both location having 2 ISP link. I have down NAT for both side.

what command need to put on both firewall that will activate failover. once primary ISP down them secondary.

should be up..

Sumy,

Sheraz.Salim — Mon, 06 Jun 2022 08:43:37 GMT

to check which firewall is active and which one is passive you give command on the ASA "Show failover" or "show failover | i host"

Failover will actiavte itself if you have put the interface monitoring on. you can check this "show monitor interface"

Normally the interface come up as default when you configure the failover apart from sub-interface you have to bring it in as monitoring.

"I have created a ipsec with two ASA both location having 2 ISP link. I have down NAT for both side."

for this you need to configure ip sla for it to work.

Jitendra Kumar — Mon, 06 Jun 2022 08:40:44 GMT

Hi Sumy,

Please if the tunnel is up and working fine use the below command for failover.

 crypto map outside_map 3 set peer 8.8.8.8 2.2.2.2

keep primary IP first then secondary ip.

Thanks,

Jitendra

Sheraz.Salim — Mon, 06 Jun 2022 08:49:39 GMT

sorry i did not read the question properly,

if you running ipsec on version IKEV2 in that case you need to be on ASA version 9.14. failover ipsec for ikev2 is support in version 9.14

sumy756 — Mon, 06 Jun 2022 08:48:58 GMT

@Sheraz.Salim for the reply. Having standalone ASA,s both sides. no failover.

sumy756 — Mon, 06 Jun 2022 08:51:18 GMT

thanks, Cool Correct one... I have tested...

Sumy,

MHM Cisco World — Mon, 06 Jun 2022 14:42:13 GMT

this best solution from Cisco.